
Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 


New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies that operate a business or produce products or services targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offers a private right of action.

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Octillo recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   


Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and BlackMatter – to take their dark web platforms offline. At the same time, however, new variants of ransomware are constantly emerging, and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Octillo’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Octillo recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 


Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Octillo’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 


Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in January, March, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit has just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.


Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Octillo Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately 4,000 new lawsuits filed this year alone, most of them against small to medium sized businesses. The issue of whether websites qualify as places of public accommodation under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with Ninth Circuit authority that has held a website is a place of public accommodation if there is a nexus to a brick and mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v. Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.”

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Octillo recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full-scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead into 2022.


Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Octillo’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA down to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text message marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast-moving area of the law.


More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 


Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Octillo’s team of attorneys and technologists works with businesses of all sizes and industries to develop comprehensive, scalable data security and privacy infrastructures to navigate this fast-moving area.

*Attorney Advertising. Prior results do not guarantee similar outcomes. 


Florida Imposes Stricter Restrictions for Telemarketers – Changes to the TCPA Landscape

Recently, the State of Florida amended its telemarketing laws in ways that strongly affect telemarketing and text message marketing targeting Florida residents (and Florida area codes). These include the amended Florida Do-Not-Call Act (Fla. Stat. Ann. § 501.059) and the Florida Telemarketing Act, a/k/a Florida’s “Mini-TCPA” (Fla. Stat. Ann. 502.601, et seq.) (collectively, the “Florida Laws”).

Impacts of the Florida Laws

The Florida Laws provide a right of action similar to that under the Telephone Consumer Protection Act (“TCPA”). (See Octillo’s article for more information about the TCPA and considerations for text marketing.) Importantly, the Florida Laws create stricter restrictions on telephone solicitations (i.e., sales calls) and commercial telephone calls than those under the TCPA, TCPA regulations, and recent caselaw.

More Complex Restrictions to Navigate

The Florida Laws include requirements that deviate from or are more restrictive than those under the TCPA, TCPA regulations, and recent caselaw (in particular, the U.S. Supreme Court’s recent narrow interpretation of “automatic telephone dialing system” or ATDS). (See Octillo’s article on the SCOTUS decision here).

The Florida Laws are a hot topic and growing concern for businesses, including the contact center industry. On behalf of this industry, the Enterprise Communications Advocacy Coalition (ECAC) recently filed a petition asking the Federal Communications Commission (FCC) to interpret and preempt certain provisions of the Florida laws that “create a more restrictive environment” than the TCPA and TCPA Regulations and “frustrate the federal objective of creating uniform national rules and therefore must be preempted.” See

The most prominent aspects of the Florida Laws that have the potential to impose more restrictive requirements include:

1. Requirements Extend to Florida Residents & Florida Area Codes

The Florida Laws create a rebuttable presumption that telephonic sales calls made to any area code in Florida are made to residents or persons within the state at the time of the call.


2. Call Time Restrictions Changed

The time restrictions under the Florida Laws narrow the permissible call window by one hour (the window now ends at 8 p.m. rather than 9 p.m.). This one-hour reduction arguably increases the cost burden, in particular on telemarketers.


3. New Three Call Frequency Limit

The Florida Laws include a call frequency limit of three “commercial solicitation phone calls” in a 24-hour period on the same subject matter/issue from any number. Imposing this limit when the TCPA does not include a similar limitation could impact telemarketers conducting nationwide calling campaigns.


4. Caller ID Restrictions Changed

The Florida Laws ban the use of technology that “deliberately displays” a different caller ID number to conceal the true identity of the caller. This arguably conflicts with the FCC’s TCPA regulations, which permit the use of such technology subject to conditions.


5. Automated Equipment/System Undefined & Broader Than ATDS

Under the Florida Laws, the term automated system/equipment is not defined and is arguably broader than the recent narrow interpretation of ATDS under the TCPA. This could open the door wider for litigation in Florida.


Private Right of Action & Potential Lawsuits   

The amended Florida Do-Not-Call Act creates a private right of action for a called party to sue and recover actual damages, or $500 per violation (whichever is greater) plus attorney’s fees and costs.

Tighter restrictions coupled with the private right of action may lead to increased litigation related to telemarketing and text messaging activities targeting Florida residents or area codes. A series of civil actions (over 30) have been filed since the Florida Laws took effect on July 1st; most have been dismissed or are currently pending. The Octillo team is watching these cases carefully.


Next Steps for Businesses Marketing to Florida Residents or Florida Area Codes 

As we continue to watch the response to the Florida Laws, marketing teams can take the steps below now to address and incorporate applicable requirements and help mitigate legal risk.

  • Review telemarketing and text marketing practices in light of Florida restrictions
  • Update policies and procedures to comply with Florida requirements
  • Update automated dialing systems/equipment to meet Florida requirements
  • Conduct due diligence/review of vendor systems/equipment used and evaluate compliance with Florida requirements
  • Keep an eye out for a potential increase in litigation

Managing compliance for telemarketing and text message marketing remains a complex issue, and the emergence of state-specific requirements such as those under the Florida Laws adds an additional layer of complexity. Businesses should remain proactive and vigilant in maintaining compliance best practices for telemarketing and text message activities. The Octillo team has deep experience guiding marketing teams and organizations managing compliance and litigation matters under the full spectrum of laws and regulations governing telemarketing and text message marketing.

For more information regarding the Florida Do-Not-Call Act, Florida Telemarketing Act, the TCPA, or related marketing questions email Octillo Member Myriah Jaworski at

*Attorney Advertising: Prior results do not guarantee similar outcomes.


SCOTUS Narrows Scope of TCPA to Only Systems that Use Random Number Generators

In a long-awaited decision, on April 1, 2021, the Supreme Court of the United States released its opinion in Facebook v. Duguid et al., and unanimously adopted a narrow interpretation of the term “automatic telephone dialing system” or ATDS under the Telephone Consumer Protection Act (“TCPA”). Hundreds of TCPA class action complaints are filed every year against defendants in all industries that text or call consumers. One of the central legal questions addressed in these litigations is whether the text messaging systems used to contact consumers are ATDS such that TCPA liability can stand. Specifically, if these databases are used to store, but not generate, numbers, can they constitute an ATDS? The Supreme Court’s opinion answers this question in the negative and provides necessary clarity to the ATDS definition, and its narrow holding is expected to benefit TCPA defendants nationwide.

The Allegations in Facebook v. Duguid et al.

In Duguid, Plaintiff Noah Duguid alleges he received several text messages from Facebook alerting him that someone had attempted to access a Facebook account associated with his number from an unknown browser. Duguid alleged that he did not have a Facebook account and never provided Facebook his telephone number. As a result, Duguid asserted that Facebook violated the TCPA by maintaining a database that stored phone numbers and programming its equipment to send out automated text messages to those numbers each time the associated account was accessed by an unrecognized device or web browser.

Facebook argued that the database in which it stored telephone numbers was not an ATDS such that TCPA liability could be established, and the Supreme Court agreed.  As defined by the TCPA, an “automatic telephone dialing system” is a piece of equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers.  Based on Duguid’s allegations, at issue was whether that definition encompassed equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.”  The Supreme Court of the United States held that because Facebook’s database system did not involve a random or sequential number generator but simply stored numbers, the text messages sent from the system did not violate the TCPA.

What Now?

The Supreme Court’s holding has the potential to greatly limit the number and scope of putative TCPA class actions in the future as it eliminates from the definition of ATDS those systems which do not use a random or sequential number generator, but simply store numbers. 

Despite this added clarity, TCPA litigation remains complex. Being proactive and building robust and scalable policies into the foundation of your organization will help mitigate legal risk. The Octillo TCPA team has handled numerous class action litigations in this space and can help your business navigate this complex area of the law.

*Attorney Advertising: Prior results do not guarantee a similar outcome.


TCPA Considerations When Starting Your SMS Marketing Campaign

Consent is the cornerstone of compliance with the Telephone Consumer Protection Act (“TCPA”). It is imperative that business and marketing teams have a strong understanding of this before incorporating text messaging or automated calls into their marketing campaigns. Similarly, it is critical to understand when prior express written consent is required, whether any exceptions may apply to your text messaging campaign practices, the importance of documenting consent, and other best practices that can be leveraged for obtaining prior express written consent in an online environment.

Understanding the TCPA

The TCPA was enacted in 1991, amending the Communications Act of 1934, and sought to restrict unwanted telephonic solicitations from companies.  The TCPA grants the Federal Communications Commission (“FCC”) the authority to develop rules related to telemarketing, the use of automated telephone dialers, artificial or prerecorded voice messages, SMS text messages, and fax machines. 

Many businesses leverage text messaging or SMS marketing to reach out to current and potential customers. While this can be a great marketing tactic, careful attention should be paid when using SMS text messages to communicate with customers, even where a preexisting business relationship exists, as there are steep penalties for initiating improper text messages or calls. In fact, the statute provides for damages in the amount of $500 per improper text message, which can quickly add up when you are sending them out en masse. With these hefty fines, compliance with the TCPA should be taken into consideration before embarking on any SMS text messaging campaign.

Affirmative, Written/Digital Consent & Opt-Out

Under the TCPA, you must obtain written or digital consent before sending promotional SMS text messages. As such, always be sure your teams are obtaining affirmative written or digital consent before beginning any SMS text messaging marketing campaign.

In Vandenberg & Sons Furniture, Inc. v. Alliance Funding Grp., a California corporation that provided financing for equipment leasing to small businesses faxed a Michigan corporation in the furniture business in 2012. No. 1:15-CV-1255, 2021 WL 222171 (W.D. Mich. January 22, 2021). At the bottom of the two-page fax, there was an opt-out notice that provided the fax recipient with instructions on how to opt out of future fax advertisements. Id. Over the next four years, the equipment leasing business sent out hundreds of thousands of fax advertisements to the furniture business and others. Id. The Western District of Michigan recently held that, as the equipment leasing business failed to show any evidence it had obtained affirmative written consent from the individuals it sent faxes to, a class potentially worth over $100 million could be formed. Id.

Best SMS Practices to Follow for Text Marketing

As stated, obtaining (and documenting) proper consent is foundational. One recommendation for obtaining affirmative consent is to present a just-in-time notice at the point of collection of a telephone number. A small dialogue box should confirm that the individual is authorizing the collection of the phone number and consents to be contacted by text message. The TCPA recommends marketers retain the consent for a minimum of four years. This affirmative consent needs to be duly signed by the customer, which can be written, digital or a simple opt-in for a campaign. Moreover, under the TCPA, customers must also be provided with an option to opt out of any such marketing campaign and be presented with the choice of whether to continue receiving messages.

To best align with TCPA guidelines, here are some additional best practices that your business should be following when undertaking text messaging as part of your marketing campaign:

  1. We recommend mentioning the details regarding opting out of your campaign at least once every month. Include a small message addressing this at the end of your marketing text.
  2. Look into opt-out requests and process them as soon as possible (it is advisable to acknowledge them in real time). This provides your customers with a sense of reassurance and makes your activities more organized.
  3. Along with the details regarding opting out of your campaigns, it is important to include contact details for your customer care services at least once every month. If the details are concise, you can add them to every marketing SMS you send to your customers.
  4. Always keep track of an opt-out request once it has been received. Ensure all the procedures are carried out efficiently and the customer concerned is successfully opted out of receiving your messages. Also, inform the customer through a final SMS confirming that they will stop receiving similar messages from you in the future. It is also advisable to provide details on opting back in to your SMS campaign, in case the customer wishes to do so in the future.

Like many areas of compliance, building an infrastructure within your organization to address the new and evolving legal landscape surrounding the use of text messages under the TCPA can help your business stay ahead of the curve and prevent costly litigation. Being proactive and building robust and scalable policies into the foundation of your organization will help mitigate legal risk. Our TCPA team has handled numerous class action litigations in this space and can help your business navigate this complex area of the law.

*Attorney Advertising: Prior results do not guarantee a similar outcome.


CAN-SPAM, TCPA and CASL – Best Practices for Marketing Teams

Using digital communications to reach customers has never been more popular, especially as the pandemic pushes more businesses to make consumer interactions contactless. From email to SMS, marketing teams have taken business online—but doing so brings a specific set of risks regarding data security and privacy. It is easy to get tripped up if you do not have a good grasp of the basic legal guidelines that govern commercial emails.  

In the U.S., the most relevant law when launching a digital marketing campaign is CAN-SPAM. This law sets the rules that all companies need to follow when sending marketing messages via email. The Telephone Consumer Protection Act of 1991 (TCPA) covers SMS messages and phone calls. Canada’s Anti-Spam Legislation (CASL) covers digital communications originating in that country. If you are wondering why businesses should be paying attention to these regulations, take note: according to the FTC, each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $43,280.

What Kinds of Emails are Regulated?

Under CAN-SPAM, the rules only apply to commercial emails (or Commercial Electronic Messages (CEM) under CASL). These are messages sent with the purpose of advertising or promoting a product or service. When evaluating the overall purpose of an email, it is important to look at the content of the message, hyperlinks and even contact information. In general, ask if the message:

• Includes offers to purchase, sell, barter or lease a product, goods or a service

• Includes offers to provide a business or investment opportunity

• Promotes a person who can do any of the above things

If the email contains both commercial sales promotion and transactional information (a receipt, a confirmation, notifications about an existing subscription or service, etc.), then the email is regulated if the recipient would regard the primary purpose of the email to be commercial in nature.

What About Social Media and Text Messaging?

Messages transmitted via social networking sites are a bit of a grey area. Some federal courts have ruled that CAN-SPAM’s definition of “electronic mail message” includes messages transmitted to a social network user’s inbox, news feed or wall. It is also important to check the terms and conditions of each social media platform you intend to use – many have limits on how marketers can use them.

And because social media, email and SMS marketing are all intertwined, it is important to note that the TCPA restricts telephone solicitations and the use of automated phone equipment. It lays out very strict solicitation rules that require explicit customer consent for commercial SMS messages.

Basic Guidelines for Sending Commercial Emails

If you are ready to draft a commercial email campaign, these 7 basic guidelines outlined by the FTC are a good place to start:

1. Don’t use false or misleading header information in the “From” and “To” lines.

2. Don’t use deceptive subject lines.

3. Identify the message as an ad.

4. Tell recipients where you are located.  

5. Provide a clear way to unsubscribe.  

6. Honor opt-out requests promptly.

7. Monitor contractors or vendors working on your behalf.  

It is important to note that in Canada, marketers must have consent for both commercial email and text messages. If not, you need to send an email requesting express consent or find another way for the recipient to opt in to receive future emails or text messages. A check box at checkout or on your website is not sufficient.

Additional Resources For Marketing

Many businesses, regardless of size, leverage some form of marketing on a regular basis to market and communicate with their client population. Whether it’s regular email marketing newsletters or text messages designed to communicate and market to your customers, there are some best practices that we at Octillo recommend following. Our attorneys are also technologists and certified privacy professionals.

Additionally, our experienced team at Octillo helps clients navigate these rules and any other similar regulations as your organization’s data security and privacy program is evaluated from a compliance standpoint. There are many low-cost, high-impact protective measures that can be implemented with the assistance of counsel to make sure your business has a legally defensible compliance posture.

*Attorney Advertising: Prior results do not guarantee a similar outcome.
